1995-08-17 - Re: SSL challenge – broken !

Header Data

From: liberty@gate.net (Jim Ray)
To: Joe Buck <jbuck@Synopsys.COM>
Message Hash: 2b20b1f6dec7aed0a417677846b05828e75ca6e269bb0e3b03f937313ffbc94d
Message ID: <199508170312.XAA45301@tequesta.gate.net>
Reply To: N/A
UTC Datetime: 1995-08-17 03:14:26 UTC
Raw Date: Wed, 16 Aug 95 20:14:26 PDT

Raw message

From: liberty@gate.net (Jim Ray)
Date: Wed, 16 Aug 95 20:14:26 PDT
To: Joe Buck <jbuck@Synopsys.COM>
Subject: Re: SSL challenge -- broken !
Message-ID: <199508170312.XAA45301@tequesta.gate.net>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

Joe Buck <jbuck@Synopsys.COM> wrote:

<snip>

>Yes, it's true that {fraud} contributes to high interest rates (though
>defaults cost more than fraud).

Sometimes there's little difference.

<snip>

>> They only *sometimes* find the person/loot.
>
>Doesn't matter, this is a disincentive to theft and you are never liable
>unless you lost your physical card.

I was referring to my previous point, whether or not you're
*individually* liable, "somebody" always pays.

<snip>

>It would cost billions to get every single merchant that accepts credit
>cards set up with PIN equipment.

Agreed. Fraud/defaults cost billions too, the billions I propose
spending would be a one-time, rather than yearly, cost.

>
>> Why not PIN numbers.

<snip>

>
>You have to make sure the clerk that gets your order doesn't see the
>PIN (so you need a secure path between you and your credit card co.
>that avoids the merchant).

I was thinking of some piece of hardware the clerk could hand you,
but "shoulder surfing," by the clerk or by other customers, will
always be possible, just as with ATMs or phonecards.
My idea isn't perfect, just better than the present reality, IMO.

>And what about the tellers?  Do you know
>how badly they are treated?  They can get all those #'s.  Yes, it
>can be done: ATMs are set up that way.  But as long as it's not done,
>those who scream at the horrors of sending credit card #'s over the
>net aren't thinking clearly.
>
>Never forget that social engineering is the easiest hack.  Technical
>solutions that ignore wide-open social engineering paths are worse
>than useless (worse because they give an illusion of security).

Agreed. My idea *is* imperfect. Social engineering works well.
I just don't want to let the great be the enemy of the good,
and the credit card fraud situation now is intolerable.
JMR


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Freedom isn't Freeh

-----END PGP SIGNATURE-----
Regards, Jim Ray

"The important thing is not to stop questioning. Curiosity has its
own reason for existing. One cannot help but be in awe when he
contemplates the mysteries of eternity, of life, of the marvelous
structures of reality. It is enough if one merely tries to comprehend
a little of this mystery every day. Never lose a holy curiosity."
 -- Albert Einstein
------------------------------------------------------------------------
PGP key Fingerprint  51 5D A2 C3 92 2C 56 BE  53 2D 9C A1 B3 50 C9 C8 
Key id. #  E9BD6D35
------------------------------------------------------------------------
Support the Phil Zimmermann (Author of PGP) Legal Defense Fund! 
email:  zldf@clark.net or visit http://www.netresponse.com/zldf
________________________________________________________________________





